Security

 View Only
Expand all | Collapse all

Multiple CRL URLS for single CRL list

This thread has been viewed 4 times
  • 1.  Multiple CRL URLS for single CRL list

    Posted Aug 25, 2023 08:09 AM

    Sadly we are using CRLs to check for cert revocation and not OCSOP. Currently we specify a single URL to pull down the CRL.

    We have multiple URLs that can access different copies of the same CRL 

    With the current 1 url setup if cppm fails to download the CRL list, the default is to reject any TLS auths ... as we found out.

    Can we specify  multiple URLs for the same CRL list? What happens if 1 url fail and the othrer  succeeds ?

    A



  • 2.  RE: Multiple CRL URLS for single CRL list

    Posted Sep 04, 2023 04:34 AM

    I don't think you should have multiple URLs for a CRL. What may work is to have a round-robin DNS (multiple A records for same FQDN) to different servers that host the (same) CRL, and ClearPass should try another A record. It also depends how the CRL download fails, but CRL services should be rock-solid. And if CRL server can't be reached, it takes some time (validity time of the CRL) before there should be rejected authentications.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------